205,000 patient records exposed on misconfigured FTP server

Arkansas-based MedEvolve misconfigured its FTP server and exposed the data of 205,000 patients from two separate providers, the practice management software vendor confirmed to Healthcare IT News.

First discovered by DataBreaches.net, the FTP server was configured to allow anonymous login, so no credentials were required to read the files, and it displayed no banner warning users to stay out of patient files.
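The exposure described above is a configuration failure rather than a software flaw, so it can be caught before the data ever goes public. The script below is an added example, not MedEvolve's configuration or a tool from the vendor: the article does not say which FTP daemon was involved, so vsftpd is assumed here. It parses a vsftpd.conf, fills in the daemon's compiled-in defaults for directives that are absent (the key edge case is that anonymous_enable defaults to YES, so a config that never mentions it still serves anonymous users), and flags the weak settings: anonymous login, no banner, cleartext transport and unconfined local users. Both configuration texts are constructed for illustration, and the probe_anonymous helper is a client-side live check that needs network access and authorization to test the host.

```python
"""Audit a vsftpd configuration for the exposure pattern in the article:
anonymous login, no login banner, and related weak settings.

Added example; vsftpd is an assumption, and both configs are constructed."""

from ftplib import FTP
from typing import Dict, List

# Compiled-in vsftpd defaults for the directives checked below, per
# vsftpd.conf(5). Note that anonymous_enable defaults to YES.
DEFAULTS: Dict[str, str] = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "write_enable": "NO",
    "chroot_local_user": "NO",
    "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
    "ftpd_banner": "",
    "banner_file": "",
}


def parse_vsftpd(text: str) -> Dict[str, str]:
    """Parse key=value lines, filling in compiled-in defaults for absent keys."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def _yes(settings: Dict[str, str], key: str) -> bool:
    return settings.get(key, "NO").upper() == "YES"


def audit_vsftpd(text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    s = parse_vsftpd(text)
    findings: List[str] = []
    if _yes(s, "anonymous_enable"):
        findings.append("anonymous login allowed (anonymous_enable=YES or unset)")
        if _yes(s, "write_enable") and (
            _yes(s, "anon_upload_enable") or _yes(s, "anon_mkdir_write_enable")
        ):
            findings.append("anonymous users may upload or create directories")
    if not s["ftpd_banner"] and not s["banner_file"]:
        findings.append("no login banner (ftpd_banner and banner_file unset)")
    if not _yes(s, "ssl_enable"):
        findings.append("TLS disabled (ssl_enable=NO): logins and files travel in cleartext")
    elif not (_yes(s, "force_local_logins_ssl") and _yes(s, "force_local_data_ssl")):
        findings.append("TLS optional: local users may still log in or transfer in cleartext")
    if not _yes(s, "chroot_local_user"):
        findings.append("local users not confined to their home directory (chroot_local_user=NO)")
    return findings


def probe_anonymous(host: str, timeout: float = 10.0) -> List[str]:
    """Client-side live check: try an anonymous login and list the root
    directory. Returns the listing, or [] if anonymous login is refused.
    Requires network access and authorization to test the host."""
    ftp = FTP()
    try:
        ftp.connect(host, 21, timeout=timeout)
        ftp.login("anonymous", "audit@example.invalid")
        return ftp.nlst()
    except Exception:
        return []
    finally:
        ftp.close()


# Constructed configuration resembling the exposure in the article.
WEAK_CONF = """\
listen=YES
local_enable=YES
write_enable=YES
# anonymous_enable is not set, so vsftpd's default (YES) applies
"""

# Constructed hardened configuration; the certificate path is a placeholder.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
rsa_cert_file=/etc/ssl/private/vsftpd.pem
ftpd_banner=Authorized users only. All access is logged.
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_vsftpd(conf) or ['no findings']}")
```

Run against the weak configuration, the audit reports four findings; the hardened one reports none. On vsftpd 2.3.5 and later, chroot_local_user=YES refuses logins when the user's home directory is writable, so deployments that keep write_enable=YES also need a non-writable chroot root, which is outside what this audit checks.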

While the server held files for numerous clients, only two clients' files were left without password protection: Pennsylvania-based Premier Urgent Care and Texas-based dermatologist Beverly Held, MD. Combined, the exposed data came to 205,000 rows of patient records. Held's database had last been modified in 2015.

More than 11,000 records from Premier and 12,000 from Held’s office reportedly contained Social Security numbers.

The researchers promptly notified the two providers and MedEvolve of the exposure, and the files were removed from public access the same day.

A MedEvolve spokesperson said the company is aware of the security incident and “the immediate issue has been resolved.”

“The company has taken appropriate action to prevent recurrence,” the spokesperson said. “In compliance with applicable laws and regulations, MedEvolve is working with the providers involved to take appropriate action.”

“This is not a systemwide issue,” they added. “This is an isolated issue impacting one current client and one former client. MedEvolve’s servers are secure….[and the company] is committed to maintaining the privacy and security of patient information and will continue to implement safeguards and measures to protect the data housed in company systems.”

The spokesperson also said the company is still investigating the source of the information, which will likely determine how long the database was left open to the public.

MedEvolve's leak is not an isolated case, as misconfigured databases continue to plague the healthcare sector. Gartner estimates that 70 to 99 percent of such exposures are caused by internal misconfiguration and has stressed that the problem could be mitigated by better internal policies governing the organization's IT infrastructure.
